Sanitize file_get_contents

Question

I want to use file_get_contents to implement a proxy so I can do ajax cross domain requests.

Querystring will be used to supply the URL to file_get_contents. Now the problem is people can muck around with the querystring in order to read local files on the server. I dont want this. Can someone get me a function to sinitize the querystring in order to accept only urls and not local files: ie:

?url=http://google.com.au - OK

?url=./passwords.txt - Not OK

Answer 1

$url = filter_var($_GET['url'], FILTER_SANITIZE_URL);

or

if($_GET['url'] === filter_var($_GET['url'], FILTER_VALIDATE_URL)) {
    ... your stuff here ...
}